|
Thanks Magnus, please see inline.
From: Magnus Westerlund <magnus.westerlund@xxxxxxxxxxxx> Hi, Having read up more on RFC 9303 I still don’t see how the LISP-SEC mechanism in any form source node authentication of the ITR that makes the MAP-REQUEST. I see a mechanism
that tries to prevent modification enroute of the MAP-REQUEST and the MAP-REPLY. Am I missing something here? So there is clearly a deployment dependencies here. I think for a limited scope deployment you can secure this by using a restricted overlay for the control plane so
that not anyone can send these to the relevant nodes. [AR] You can see this model on production deployments of (pre-standard) PubSub. However, for a large scale multi domain deployment this becomes tricky. Source authentication requires that one knows all the xTRs that can make subscription requests
and thus can verify their right to do it. [AR] If needed, this role can be taken by Map-Resolvers. We could include recommendations to deploy Map-Resolvers that can verify if a given xTR can subscribe and drop their subscription requests
if otherwise. Map-Servers could be configured to only accept subscription requests from Map-Resolvers that are filtering requests.
Otherwise we are more looking at this systems as DNS with a subscription for updates. Anyone can ask to install state, and the node needs to be very careful with that.
To me it appears that this later is part of your threat model, and there are not sufficient warnings in place or restricting the scope of the usage of the mechanism.
[AR] I think this is fair. We could probably include guidance on how PubSub should be only used when proper verification of xTRs can take place (e.g. via restricted overlay, filtering Map-Resolvers,
or any other means) In addition there was no protection against spoofed source addresses, making the issue even worse, but that appear to be reasonably fixable.
Cheers Magnus
From: mohamed.boucadair@xxxxxxxxxx <mohamed.boucadair@xxxxxxxxxx> Hi Magnus,
Thanks. The change will be in -11. Authenticating subscription requests and ensuring their integrity protection build on 9301 and 9303. Specifically, spoofed Map-Requests (including
tampering xTR-IDs) falls under this part from 9301: Deployments concerned about
manipulations of Map-Request and Map- Reply messages and malicious ETR EID-Prefix overclaiming MUST drop LISP control plane messages that do not contain LISP-SEC material (S-bit, EID-AD, OTK-AD, PKT-AD). See Section 3 of [RFC9303] for definitions of "EID-AD", "OTK-AD", and "PKT-AD". Mechanisms to encrypt, support privacy, and
prevent eavesdropping and packet tampering for messages
exchanged between xTRs, between xTRs and the Mapping System, and between nodes that make up the Mapping System
SHOULD be deployed. Examples of this are DTLS [RFC9147] or "lisp-crypto" [RFC8061]. In order to insist on the guard to avoid manipulating xTR-IDs, we made this change:
OLD: Generic security considerations related to LISP control messages are discussed in Section 9 of [RFC9301].
NEW: Generic security considerations related to LISP control messages are discussed in Section 9 of [RFC9301]. To prevent xTR-ID hijacking, it is RECOMMENDED to follow guidance from Section 9 of [RFC9301] to ensure integrity protection of Map-Request messages. Cheers, Med De : Magnus Westerlund <magnus.westerlund@xxxxxxxxxxxx>
Hi, I think this is a good step forward in at least acknowledging the issue from an overload perspective that can just occur. I think this is likely solved, but I want to
see how what are the conclusions on preventing spoofed registrations. Cheers Magnus
From: mohamed.boucadair@xxxxxxxxxx <mohamed.boucadair@xxxxxxxxxx> Re-, Fully agree that dedicating a small fraction of resources (not only links capacity but also CPU) is a good advice, but I don’t think we can
use any normative language for this. I tweaked the proposed text as follows: NEW:
As a reminder, the initial transmission and retransmission of Map- Notify messages by a Map-Server follow the procedure specified in Section 5.7 of [RFC9301]. Some state changes may trigger an overload that would impact, e.g., the outbound capacity of a Map-Server. A similar problem may be experienced when a large number of state were simultaneously updated. To prevent such phenomena, Map-Servers SHOULD be configured with policies to control the maximum number of subscriptions and also the pace of Map-Notify messages.
For example, the Map-Server may be instructed to limit the resources dedicated to handling unsolicited Map-Notify messages to a small fraction (e.g., less than 10%) of its overall processing and forwarding capacity. The exact details to characterize such policies are deployment and implementation specific. Likewise, this document does not specify which notifications take precedence when these policies
are enforced. Hope this is better. Cheers, Med De : Magnus Westerlund <magnus.westerlund@xxxxxxxxxxxx>
Hi, That is a good start. The general problem for this type of problem is that one can reasonably calculate a pacing schedule based on target bit-rate at the outgoing interface.
What one doesn’t know is if what path the various message takes and if that is part of a traffic load causing congestion. The Map-Server will get some indication on potential congestion issue if it has to retransmit many messages as they aren’t acked. I would
think the most general thing I would say is to recommend that the pacing target a bit-rate that is no more than a small fraction of the expected bandwidth of the links to the xTRs.
That is likely preventing enough issues that there is no point in doing more advanced solution. But that is me assuming that the control plane will mostly run over links
with Gbps+ capacity and that one configure this to not burst above like 1-5% of the link capacity one will not have any issues. But if there is more limited capacity or larger deployments maybe the completion time become an issue for each update. Cheers Magnus
From: mohamed.boucadair@xxxxxxxxxx <mohamed.boucadair@xxxxxxxxxx> Re-, Thanks Magnus for clarifying.
I suggest to add the following in Section 6: NEW: As a reminder, the initial transmission and retransmission of Map- Notify messages by a Map-Server follow the procedure specified in Section 5.7 of [RFC9301]. Some state changes may trigger an overload that would impact, e.g., the outbound capacity of a Map-Server. A similar problem may be experienced when a large number of state were simultaneously updated. To prevent such phenomena, Map-Servers SHOULD be configured with policies to control the maximum number of subscriptions and also the pace of Map-Notify messages. The exact details to characterize such policies are deployment and implementation specific. Likewise, this document does not specify which notifications take precedence when these policies are enforced. Do we need to say more without going too much into implementation territory? Cheers, Med De : Magnus Westerlund <magnus.westerlund@xxxxxxxxxxxx>
Hi Med,
_________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you. _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you. |
-- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
